Compliance Essentials News - April 2019
Here's the selection of the most informative compliance news stories this month - regulatory announcements, market studies, and stories about compliance lapses and downright disregard of laws/regulations. You'll also find links to resources for you to use in your compliance programme.
Select the links or scroll down for more details.
- Recruitment fraud costs UK businesses £24bn a year
- CNIL report tells of 'exceptional year'
- 'Bounty'-ful fines for pregnancy club
- Practice manager fined for data breach
- Uber investigated over grease and charitable payments
- £15.3tn of assets at risk of climate change
- Acteon Group to pay $441,000 for sanctions violations
- Bank pays $1.3 billion penalty over sanctions violations
- FCA to beef up AML supervision through OPBAS
- Line of duty: NCA prepares to tackle illicit finance
- Cyber Security Breaches Survey 2019 highlights phishing email vulnerability
- Banks to face 'ethical hacking' tests
Recruitment fraud costs UK businesses £24bn a year
Have you ever taken someone on without fully checking their credentials? Maybe you've thought about over-embellishing your qualifications or experience to land your dream job in the past? If so, you're not alone.
Research by Crowe UK and the University of Portsmouth has found that recruitment fraud is costing UK businesses £24 billion a year. When CV checks were carried out on 5,000 employees, over three-quarters had discrepancies, with 12% falsifying grades and a fifth exaggerating their job titles.
With fake documents, bogus references and half of businesses admitting they did not vet prospects at all, companies are leaving themselves dangerously exposed to insider fraud. In one example, a contractor who made a good impression and was taken on by a European bank without checks went on to defraud it of €5 million. In another, a local authority unwittingly employed a convicted fraudster.
It doesn't just affect companies either. One in ten jobseekers has been tricked by recruitment scams, with some even handing over their bank details for jobs that don't exist.
Keith Rosser, chair of the Metropolitan Police's SAFERjobs initiative said, "It's often personal reasons that cause people to defraud companies. Some people have histories of debt or challenges in their personal life that trigger these actions."
Firms are being urged to conduct due diligence checks and to be alert to red flags of fraud. Would you know what signs to look for?
CNIL report tells of 'exceptional year'
CNIL, the French data protection regulator, has released its report for 2018, marking an 'exceptional year'.
In its key findings, we can see the impact that GDPR has had on individuals and companies:
- Individuals are much more aware of data protection issues and CNIL saw a record-breaking 32.5% jump in complaints (to 11,077 complaints in 2018)
- The majority of complaints (35.7%) related to the sharing of individuals' personal data online and people exercising their right to be forgotten
- There was also a surge in organisations looking for help - CNIL got an influx of enquiries from people wanting advice on how to comply. The 'GDPR effect' led to almost 190,000 calls and 8 million visits to its website (up by 22% and 80% respectively on 2017).
Say what you like about GDPR, it's certainly making waves…
'Bounty'-ful fines for pregnancy club
Bounty UK, the pregnancy and parenting club, has received a £400k fine for sharing the personal data of more than 14 million people without their knowledge.
The pregnancy club - which provides free samples, offers and vouchers via apps, online and directly to new mums in hospital - failed to tell them that their personal information was being shared with 39 other organisations, including credit reference and marketing agencies. 34.3 million records were shared between June 2017 and April 2018.
Describing the breach as "unprecedented", the ICO's director of investigations said the "careless" data-sharing would have caused distress to "potentially vulnerable" people, including new mothers and children.
With echoes of Zuckerberg's apology to Congress, Bounty's managing director Jim Kelleher said, "In the past, we did not take a broad enough view of our responsibilities and as a result our data-sharing processes, specifically with regards to transparency, were not robust enough".
When the tide went out, it seems some people were certainly caught swimming naked…
Practice manager fined for data breach
With the summer holidays fast approaching, you may be thinking about how to keep in touch with the office. If you're tempted to forward information to your personal email, you better read this…
A former GP practice manager who worked in Derby has been fined a total of £514 for sending personal data to her own email account. The fine may well have been bigger today, but she was prosecuted under the 1998 Act because of when the offence took place. On this note, you may be interested in reading our previous blog on the biggest fines for data breaches pre- and post-GDPR.
To protect yourself at work, remember:
- Don't access personal data without a valid business reason
- Only share personal data with people who have a 'need to know'
- Don't forward personal information to your private email
- Be open and transparent about how you intend to use people's data
Uber investigated over grease and charitable payments
Ride-hailing firm Uber has confirmed that it's being investigated over possible corrupt payments in five countries, including Malaysia, China, India and Indonesia.
According to reports, the DOJ is asking about "small payments to police in Indonesia". Hm, small payments? Would that be facilitation payments, perchance?
In fact, the case isn't new. Media reports dating back to 2017 confirm Uber staff made small payments to police in return for them ignoring a support office operating outside the business zones in Jakarta.
Then, there's also the matter of Uber's corporate donation of "tens of thousands of dollars" to the Malaysian Global Innovation and Creativity Center. Within 12 months, a government sponsor had invested $30 million in Uber and legislation favourable to Uber had also been passed.
As generous donations from wealthy corporates currently flood in to rebuild the fire-stricken Notre Dame, exactly what are the red flags when it comes to charitable giving? Think about:
- Who is asking for the donation?
- Did they request or drop hints about the donation?
- Does a government official hold a key position at the charity? If not, how about other family members or connected persons?
- Is a tax deduction being claimed? Be suspicious of companies not seeking a tax benefit
Download our free Anti-Bribery Training Presentation to refresh your employees on the laws surrounding bribery.
£15.3tn of assets at risk of climate change
The global financial system is facing an existential threat from climate change and urgent action is needed. No, these aren't the words of an environmental pressure group, but the Governors of the Bank of England and the Banque de France who have issued the stark warning.
Mark Carney and François Villeroy de Galhau cautioned, "If some companies and industries fail to adjust to this new world, they will fail to exist."
The report says banks and insurers face considerable risks from weather events - such as droughts, floods and rising sea levels. In turn, these physical risks could impact the value of assets and collateral, and also disrupt business operations (e.g. power outages and branch closures).
The Bank of England has warned that £15.3 trillion of "stranded assets" - e.g. unburnable carbon - could effectively become worthless.
It's urging financial institutions to:
- Assess their resilience to climate change risks
- Integrate sustainability into portfolio management
- Bridge any data gaps to enhance assessment of climate change risks
- Build in-house capacity and knowledge with other stakeholders on how to manage climate-related financial risks
Acteon Group to pay $441,000 for sanctions violations
Acteon Group, a UK subsea service provider, has agreed to pay $441,000 for breaching US sanctions that prohibit business with Iranian and Cuban entities.
The firm, along with its subsidiary 2H Offshore and two Malaysian affiliates, admitted seven violations dating back to 2011 when it provided engineering design analyses and allowed its engineers to conduct workshops in Cuba.
In addition, its Seatronics subsidiary in Abu Dhabi rented or sold equipment for use by customers on vessels operating in Iranian territorial waters.
The firm has agreed to bolster its internal compliance and must certify annually that it is compliant for the next five years.
It's definitely been a busy month for OFAC, the Federal Reserve and the New York Department for Financial Services (DFS)…
Bank pays $1.3 billion penalty over sanctions violations
UniCredit Bank is to pay $1.3 billion in penalties after it admitted processing "hundreds of millions of dollars of transactions" on behalf of sanctioned Iranian entities through the US financial system. For ten years, the bank moved $393 million through the US financial system and also conspired to conceal restrictions.
When the bank introduced an automated 'embargo tool' to flag transactions likely to violate sanctions, its compliance department issued an instructional guide - effectively providing a workaround to enable employees to dodge red flags and process transactions in an "OFAC-neutral" way, according to the regulator.
FCA to beef up AML supervision through OPBAS
The Financial Conduct Authority (FCA) has promised to beef up supervision of the professional bodies and associations it oversees after a report by its Office for Professional Body Anti-Money Laundering Supervision (OPBAS) revealed some worrying findings.
- 23% of Professional Body Supervisors (PBSs) undertook no AML supervision of their members, 80% lacked appropriate governance arrangements, and 91% were not fully applying a risk-based approach
- 23% of accountancy PBSs outsourced their AML compliance assessments to another PBS or an external third party
- 40% of employees in PBSs were unsure of their reporting obligations for suspicious activity
- 80% of professional bodies lacked appropriate training
- 36% lacked proper record keeping policies
- 91% had yet to start or were in the process of gathering information required for ML/TF risk profiling
The clock is ticking. The FCA has confirmed in its business plan that it will extend its SMCR regime to all entities it supervises by December, holding all executives to account for financial crime violations.
Find out how you can recognise signs of money laundering in your firm in this interview with Financial Crime Prevention Consultant, Martin Schofield.
Line of duty: NCA prepares to tackle illicit finance
Meanwhile, in 2019/2020, the National Crime Agency intends to fully maximise its latest powers of Account Freezing Orders and Unexplained Wealth Orders (UWOs) to tackle illicit finance, which costs the UK economy £160 billion annually, and is also promising to reform the Suspicious Activity Report regime.
In its annual report, it commits to implementing the Financial Action Task Force inspection recommendations to improve the quality of financial intelligence that is available to competent authorities and to better exploit the available SAR data.
The database currently holds 2.3 million SARs.
Cyber Security Breaches Survey 2019 highlights phishing email vulnerability
Of these, the most common attacks were:
- Phishing emails (affecting 80% of businesses, 81% of charities)
- Others impersonating their organisation online (28% of businesses, 20% of charities)
- Viruses and malware (27% of businesses, 18% of charities)
While many organisations have made changes to cybersecurity as a result of GDPR (with 60% creating new policies), only 27% of businesses and 29% of charities had provided cybersecurity training, leaving them dangerously exposed.
Having a policy won't necessarily guarantee people will know what to do when faced with a malicious actor or potential threat. You need to train your staff so that they know how to spot the signs of phishing and exactly what to do.
Banks to face 'ethical hacking' tests
In its 2019/2020 business plan, the FCA has stated that it will continue testing banks' resilience to cyberattack using the CBEST (ethical hacking) regulatory tools in partnership with the Bank of England, as part of its operational resilience priorities. It also pointed out that IT failure by third parties was the second-highest root cause of disruption to services.